Free tools and resources for Data Protection Officers!

Tag Archives for " compliance "

COPPA Compliance ? Steps by Companies to Protect Children?s Privacy

The Children?s Online Privacy Protection Act (COPPA) is a law created by the Federal Trade Commission to protect the privacy of children, specifically those under the age of 13. This legislation mainly requires parental consent for the collection or use of personal information of children and then outlines the responsibility of companies and websites in order to best protect these children.

The law was passed to address the growth of online marketing techniques that targeted children due to their lack of understanding of the potential negative outcomes of revealing their personal information online. In order to comply with COPPA and rightfully protect children?s personal information, companies are held to high standards in their practices. If your company falls under the scope of COPPA, the following steps will help you comply with this federal law.?

1. Clearly Display Parental Consent Options.?

Parental consent is necessary if your site engages with users under the age of 13 who may share their real identity with other users. In order to provide this consent, parents must submit a signed consent form, make a monetary transaction, call a toll-free phone number, or show identification to the company. Make these options easily accessible for the parent on the company?s website or app. Clear displays of this compliance will ensure your company is following COPPA law. 

2. Implement Information Security Procedures.?

COPPA mandates that organizations implement and maintain information security procedures in order to carry out its laws. Some steps towards these secure procedures include ensuring that third parties to whom children?s personal information is released also have the capacity to maintain the security and confidentiality of this information. Your company might have the means to protect this data but ensuring that the entities the information is shared with are also capable of this level of protection is vital. 

3. Securely Dispose of Unnecessary Data.?

If your company does not need to retain certain personal information, security procedures for properly disposing of this data are crucial. Personal information should only be retained for as long as reasonably necessary, and once said data is not needed, it should be properly disposed of. Unsecure disposals of information which are then attained by other entities could lead authorities back to your company, and ultimately your company may be deemed non-compliant with COPPA. If possible, minimize the amount of personal information collected to avoid problems like these. 

3. Honor Parents? Rights Regarding Their Children?s Information.?

Even if you have the parent?s consent, it is still important to recognize that they have ongoing rights to their children?s information. If a parent asks a company to do so, the company must allow them to review the personal information collected, provide them a way to revoke their consent, and delete their child?s personal information upon request. COPPA provides extensive protection for children and their parents and allows for revocation of consent no matter when or how the consent was originally provided. No data collected is as important as maintaining a good relationship with consumers and adhering to COPPA.  

COPPA is intent on protecting children under the age of 13 and will certainly crack down on companies who do not implement or maintain procedures to comply with the law. These 4 steps will go a long way towards preventing your company from violating COPPA and towards helping you protect children.??


At oneDPO, we solve privacy engineering problems and help companies approach privacy the right way. Currently, we provide tools to help Data Protection Officers (DPOs) handle Data Subject Requests (DSARs) at scale.

Processing Consumer Data Subject Requests Under CCPA: What Are Best Practices?

Along with the celebration of the New Year on January 1st, 2020 comes the implementation of the California Consumer Protection Act (CCPA).  This date is approximately 10 weeks away, but preparation for these new privacy laws must begin now.  In order to make sure your business is fully primed for this new landscape brought by the CCPA, here are the best practices when processing consumer data subject requests. 

Don?t Make It Hard on The Consumer.   

The CCPA lays out clear requirements of businesses for accessibility for the consumer, such as toll-free phone number and a ?Do Not Sell My Personal Information? link provided on the businesses? website.  These two methods are designated for submitting disclosure requests.  Follow the guidelines and do not add extra steps.  Complicating this further could result in fines. 

Have Clear Internal Policies and Procedures. 

When processing the consumers? request, it is important to include all of the proper information.  This involves, but is not limited to, who is responsible for collecting the data, reviewing it, removing the information that does not need to be disclosed, and fulfilling the request.  This should be standard procedure recognized by the entire organization.  This information then needs to be delivered precisely, followed by documentation of the company?s process.  One can never be too organized and careful.    

Be Transparent in Policy Language 

Starting on January 1st, 2020, businesses must provide their consumers with information relating to these new regulations.  Prior to January 1st, companies should be ready with updated privacy notices that clearly state how the CCPA affects their information collection and their consumers? privacy.  Once these notices are sent to consumers, formal documentation of these processes should be added on the company website.  It does not hurt to be over prepared for these new procedures required by the CCPA.   

Include All Required Information/Data. 

When dealing with private data that is then shared with a consumer, all requirements under the CCPA must be met.  This can include the category of the information, the specific pieces of personal data collected, the sources from which the data is collected, and the purpose of such data.  The business must be transparent and honest, regardless of the possible reaction by the consumer.  Furthermore, third parties with which the data is shared must be covered and the practices with which the company conducts the collection of the personal data stated.   

Include the Data Processors in The Mix. 

Once a consumer data deletion is requested, the business must now log this into the company?s database and then to it?s service provider.  The service provider must now be compliant with CCPA regulations during the business?s user data collection.  The provider is also liable to civil penalties for noncompliance under the CCPA.  In order to properly work alongside your service provider, notify them of your processes and procedures that will be implemented.  Working hand-in-hand with the provider will assure that neither you nor them are held as noncompliant.   

Implement and Maintain Security Practices. 

Review the company?s current security system and conduct exercises to simulate possible breaches.  If the security withstands and is successful, maintain the current system.  If there is any fault or mishap, implement new practices, software, hardware, etc.  The CCPA may entice hackers, as there are new clear pathways to obtaining personal data.  Consult with others in the industry to find the best way for storing, securing, and then accessing information collected.  Regularly review the practices and make sure all employees are aware of the guidelines in order to close all possible loose ends.    

The CCPA will require an approved budget, processes, and tools in order for organizations to properly function under these new regulations.  These 6 practices are vital steps for the well-being of your company moving forward! 


At oneDPO, we solve privacy engineering problems and help companies approach privacy the right way. Currently, we provide tools to help Data Protection Officers (DPOs) handle Data Subject Requests (DSARs) at scale.

What can we learn from Google €50 million fine?

On 21 January 2019, French data protection authority Commission Nationale de l?Informatique et des Libert?s (CNIL) imposed a penalty in amount of ?50 million onGoogle?s U.S. headquarters ? Google LLC ? for infringements of General Data Protection Regulation (GDPR). Specifically, for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

Continue reading »